CVE-2013-2251

CRITICAL KEV NUCLEI

Apache Archiva 1.3-1.3.8 - Remote Code Execution via OGNL Expression Injection

Title source: llm

Exploitation Summary

CVE-2013-2251 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 4 public exploits from researchers including Takeshi Terada, Metasploit and nth347, among them the Metasploit module exploits/multi/http/struts_default_action_mapper. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a detailed writeup explaining the Struts2 Prefixed Parameters OGNL Injection Vulnerability (CVE-2013-2251), including technical details, proof-of-concept URLs, and mitigation recommendations. It describes how insecure handling of prefixed parameters leads to arbitrary Java method execution.

Description

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Exploits (4)

exploitdb WRITEUP VERIFIED
by Takeshi Terada · text · webapps · multiple
https://www.exploit-db.com/exploits/44583

This is a detailed writeup explaining the Struts2 Prefixed Parameters OGNL Injection Vulnerability (CVE-2013-2251), including technical details, proof-of-concept URLs, and mitigation recommendations. It describes how insecure handling of prefixed parameters leads to arbitrary Java method execution.

Classification
Writeup 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts v2.0.0 - 2.3.15
No auth needed
Prerequisites: Target application using Struts2 with DefaultActionMapper · Network access to the target application
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/27135

This Metasploit module exploits CVE-2013-2251, an OGNL injection vulnerability in Apache Struts 2 DefaultActionMapper, allowing remote code execution via maliciously crafted parameters prefixed with 'action:', 'redirect:', or 'redirectAction:'.

Classification
Working Poc 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 before 2.3.15.1
No auth needed
Prerequisites: Target must be running a vulnerable version of Apache Struts 2 · Network access to the target's HTTP service
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by nth347 · poc
https://github.com/nth347/CVE-2013-2251

This PoC demonstrates CVE-2013-2251, a vulnerability in Apache Struts 2 where improper parameter handling allows remote command execution. The provided code sets up a Tomcat server with a vulnerable Struts 2 action (WelcomeUserAction) to replicate the exploit scenario.

Classification
Working Poc 80%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 (versions before 2.3.15.1)
No auth needed
Prerequisites: Apache Struts 2 vulnerable version · Network access to the target
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Takeshi Terada, sinn3r, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_default_action_mapper.rb

This Metasploit module exploits CVE-2013-2251 in Apache Struts 2 by injecting OGNL expressions via the DefaultActionMapper's 'redirect:' prefix, leading to remote code execution. It supports both Windows and Linux targets, downloading and executing a payload via HTTP.

Classification
Working Poc 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Apache Struts 2 before 2.3.15.1
No auth needed
Prerequisites: Network access to the target Struts application · A writable directory on the target (for Linux)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
CRITICAL · by exploitation, dwisiswant0, alex
Shodan: http.html:"apache struts" || http.title:"struts2 showcase" || http.html:"struts problem report"
FOFA: body="struts problem report" || title="struts2 showcase" || body="apache struts"

References (17)

Core References (17)
Patch, Third Party Advisory (x_refsource_confirm): http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/90392
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2013/Oct/96
Exploit, Third Party Advisory (x_refsource_misc): http://cxsecurity.com/issue/WLB-2014010087
Product (x_refsource_confirm): http://archiva.apache.org/security.html
Broken Link (vdb-entry, x_refsource_osvdb): http://osvdb.org/98445
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1032916
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/61189
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1029184
Broken Link, Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/64758
Patch, Third Party Advisory (x_refsource_confirm): http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://seclists.org/oss-sec/2014/q1/89
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/159629/Apache-Struts-2-Remote-Code-Execution.html

Scores

CVSS v3 9.8
EPSS 0.9433
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2020-10-14
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2022-2328
CWE
CWE-74
Status published
Products (16)
apache/archiva 1.2
apache/archiva 1.2.2
apache/archiva 1.3 - 1.3.8
apache/struts 2.0.0 - 2.3.15
fujitsu/gp-s_firmware
fujitsu/gp5000_firmware
fujitsu/gp7000f_firmware
fujitsu/interstage_business_process_manager_analytics 12.0
fujitsu/interstage_business_process_manager_analytics 12.1
fujitsu/primepower_firmware
... and 6 more
Published Jul 20, 2013
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026